28 October 2019

New "Raccoon" infostealer already infected more than 100,000 victims around the world

The "Raccoon" infostealer, first spotted in the wild earlier this year, is rapidly gaining popularity on underground forums thanks to its low cost and its ability to steal a wide range of data, including credit card numbers and cryptocurrency wallets. Despite not being especially sophisticated or innovative, the malware (also known as Mohazo and Racealer) has already infected more than 100,000 devices around the world and is currently one of the ten most mentioned malware families on underground forums in 2019, according to a new report from Cybereason.

While Raccoon lacks sophistication and does not offer extensive capabilities, it has some perks: ease of use, several potential delivery methods, and the ability to steal a wide range of data, including credit card information, cryptocurrency wallets, browser data, and email credentials, Cybereason says.

Raccoon, first spotted in the wild in April, appears to have originated in the Russian-speaking cybercriminal underground but quickly spread to English-language forums, according to the analysis.

Raccoon is sold under a malware-as-a-service (MaaS) model: customers only need access to a Tor-hosted control panel to launch attacks against whatever targets they pick. The subscription currently costs $200 per month, according to the researchers. The malware, written in C++, is delivered in several ways, typically through the Fallout and RIG exploit kits, phishing emails carrying malicious Office documents whose macros download and install Raccoon, and bundled with other malware. It runs on both 32-bit and 64-bit Windows systems. Once installed, Raccoon contacts its command-and-control server, checks the victim machine's locale, and then searches the system for a range of confidential data, which it collects and sends to its operator.

Before doing anything else, Raccoon checks the target machine's locale settings against a list of languages: Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, and Uzbek. If the locale matches one of these languages, the malware immediately aborts, a common practice for malware originating in CIS countries. Considering this clue and several other details, the researchers theorized that the developers behind the malware are of Russian origin.
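The following is an added illustration of the locale-based abort check described above, written for this page; it is not Raccoon's code and not taken from the Cybereason report. It assumes the check is performed on a Windows LANGID (as returned by GetUserDefaultUILanguage), which the report does not state, and compares only the primary-language part of the identifier so that sub-language variants such as Uzbek Latin and Uzbek Cyrillic are both caught. The sample LANGIDs are constructed, not real telemetry.

```python
# Added illustration of the CIS locale abort check described in the article.
# Not Raccoon's code. Assumption: the check operates on a 16-bit Windows LANGID.

# Primary language identifiers (low 10 bits of a LANGID) for the languages the
# report lists. Values as defined in winnt.h (LANG_RUSSIAN, LANG_UKRAINIAN, ...).
CIS_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x2B: "Armenian",
    0x28: "Tajik",
    0x43: "Uzbek",
}


def primary_lang(langid: int) -> int:
    """Extract the primary language from a LANGID.

    The high 6 bits hold the sub-language (e.g. Uzbek Latin 0x0443 vs
    Uzbek Cyrillic 0x0843); masking them off makes the check variant-agnostic.
    """
    return langid & 0x3FF


def would_abort(langid: int) -> bool:
    """True if a stealer applying the described check would exit on this locale."""
    return primary_lang(langid) in CIS_PRIMARY_LANGS


def classify(langids):
    """Map each LANGID to the matched CIS language name, or None if the stealer
    would continue running."""
    return {lid: CIS_PRIMARY_LANGS.get(primary_lang(lid)) for lid in langids}


# Constructed sample of UI-language LANGIDs (not real data):
# en-US, ru-RU, uz-Cyrl-UZ, uz-Latn-UZ, de-DE, uk-UA
SAMPLE_LANGIDS = [0x0409, 0x0419, 0x0843, 0x0443, 0x0407, 0x0422]

if __name__ == "__main__":
    for lid, name in classify(SAMPLE_LANGIDS).items():
        verdict = f"abort ({name})" if name else "continue"
        print(f"LANGID 0x{lid:04X}: {verdict}")
```

On a real Windows host the value to feed into would_abort() would come from ctypes.windll.kernel32.GetUserDefaultUILanguage(); the module above deliberately keeps the sample inline so it runs anywhere.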

“Many in the community praise and endorse Raccoon’s malware capabilities and the services the team provides. Some voices in the community even endorse it as a worthy replacement for the famous Azorult stealer,” Cybereason says.

Although Raccoon is still under active development, researchers say that “its popularity, even with a limited feature set, signals the continuation of a growing trend of the commoditization of malware as they follow a MaaS model and evolve their efforts.”
